European Experts Exchange
Languages :: PHP :: Working with Sessions


By: xedstr U.S.A.  Date: 30/05/2003 00:00:00  English  Points: 500 Status: Answered
Quality : Excellent
Hi,

I want to make my website secure.
I already created a page for login which is working fine.

Now I want to create different sessions:
1) for the registered users.
2) for the administrators of the site (me and some friends).

The users and the administrators have access to multiple pages.

Can anyone give me an explanation on how to work with sessions + some examples to work out?

Thanks,
EDS

By: VGR Date: 30/05/2003 22:57:00 English  Type : Comment
just do this :

<?php
// your script begins here
session_start();
// the rest of your script is there

// when successfully logging in, just set $_SESSION['isadmin'] to 1 or 0 to differentiate admins and users

// all scripts sharing the session info must have session_start(); at the beginning. That's all.

?>
By: carchitect Date: 30/05/2003 23:15:00 English  Type : Comment
VGR is always right, but VGR, I think this guy needs more than that, I mean how to implement it.....


login page
---------------
Form contains username/password...


validate page
-------------
validate and check the user type from the database, like whether he has got admin rights or guest rights or anything else


now in each file use session_start() before any other function..... and in validate put $_SESSION['user_type']="1" or "2" or whatever


now wherever you go, check the $_SESSION['user_type'] value in that page: if it is 1 allow him to work, if it is not give him a message that you are not allowed

regards
By: sumotimor Date: 30/05/2003 23:39:00 English  Type : Comment
Right, I like to store the entire user record in the array after logging in.

# validateLogin.php
session_start();
if (isset($_SESSION['THIS_USER'])) { echo ("You are already logged in!"); exit; }
// take the form fields from $_POST only, and escape them before they go into SQL
// (assumes a mysql_connect() link was opened earlier in the script; legacy mysql_* extension as posted)
$username = isset($_POST['username']) ? mysql_real_escape_string($_POST['username']) : '';
$password = isset($_POST['password']) ? mysql_real_escape_string($_POST['password']) : '';
if (empty($username) || empty($password)) die ("Enter username AND password");
$query = "SELECT * from user where username='$username' AND password='$password'";
$result = mysql_query($query);
if (mysql_num_rows($result) != 1) die ("login failed");
$_SESSION['THIS_USER'] = mysql_fetch_assoc($result);
header("location: welcome.php");
exit; // nothing after a redirect header should keep running


# welcome.php
session_start();
if (!isset($_SESSION['THIS_USER'])) die ("Not logged in");
echo ("Welcome, " . htmlspecialchars($_SESSION['THIS_USER']['firstname']) . "!");
if (!empty($_SESSION['THIS_USER']['isAdmin'])) showAdminMenu(); // showAdminMenu() is the poster's own function, not shown here
By: AI_Agent Date: 31/05/2003 00:19:00 English  Type : Comment
See if this helps you

http://www.phpfreaks.com/tutorials/41/0.php
By: Cyclops3590 Date: 31/05/2003 00:55:00 English  Type : Comment
As for sumotimor's code he gave, I would change only one thing:
The line that is this:
$query = "SELECT * from user where username='$username' AND password='$password'";
should be:
$query = "SELECT * from user where username='$username' AND password=password($password)";
And when you insert the password you should use the MySQL password() function to encrypt the password


The second thing I recommend is that when you retrieve the form variables, instead of using
$password or $username
you should use
$_POST['password'] and $_POST['username']
that way you know you're grabbing the variables from the correct scope

Sorry for the off topic post, but making a secure db and more correct code I feel is essential to a quality site.
By: mattjp88 Date: 31/05/2003 01:41:00 English  Type : Comment
ok if you're using sessions right now, and you're storing your username and other stuff in the session ($_SESSION['username']="mattjp88";) then just make a function named check_admin() and just have an array of all the people that you want to allow admin privileges to and then just use in_array($_SESSION['username'], $admin) to check if the person logged in has admin capabilities. so this is what check_admin should look like:

<?php
// admin_check.php
function check_admin() {
$admin = array("user1", "user2", "user3", "user4", "user5");
// strict comparison, and no notice when nobody is logged in
if (isset($_SESSION['username']) && in_array($_SESSION['username'], $admin, true)) {
return 1;
} else {
return 0;
}
}
?>

so you can put that in a file and include that in your pages that you want to check if the person is an admin and then this is how you would do that:

<?php
session_start(); // must run before any output, so do it here rather than inside check_admin()
include "admin_check.php";
if (check_admin() == 1) {echo "You're an admin";}
else {echo "You're a normal user";}
?>

or you could just do that check at the login and then store whether the user is an admin or not in a session ($_SESSION['isadmin']="yes"). if you want me to integrate the check into your login script i will do that. its quite simple.

-Matt
By: xedstr Date: 31/05/2003 17:32:00 English  Type : Comment
I'm not getting out of it...

I hereby send the code I use for the login (partly). It generates a standard login screen where the user gives his user-id and password.

How do I combine my code with a session?

Thanks for any help,
EDS

***************
CODE :
<?php
$auth = false;
$id = "0";

// HTTP Basic credentials arrive in $_SERVER (the bare $PHP_AUTH_USER form needs register_globals=On)
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {

// Connect to MySQL (legacy mysql_* extension, as posted)

$con = mysql_connect("localhost", "ggg", "agol")
or die('Unable to connect to server.');

mysql_select_db("g3sg7")
or die('Unable to select database.');

// Escape the credentials before they go into the query
$user = mysql_real_escape_string($_SERVER['PHP_AUTH_USER'], $con);
$pw = mysql_real_escape_string($_SERVER['PHP_AUTH_PW'], $con);

// Formulate the query

$sql = "SELECT * FROM person WHERE
email = '$user' AND
password = '$pw'";

$result = mysql_query($sql)
or die('Unable to execute query.');

$num = mysql_num_rows($result);

if ($num != 0) {

$auth = true;
$myrow = mysql_fetch_array($result); // the result set is already there, no need to run the query again
$id = $myrow["PERSON_ID"];

}
}

if (!$auth) { // not a successful login: ask the browser for credentials
header('WWW-Authenticate: Basic realm="Private"');
header('HTTP/1.0 401 Unauthorized');
echo '
</strong>!<br />
<html>
<head>
// etc. .......

} else { // here follows the code for a successful login
By: VGR Date: 31/05/2003 17:37:00 English  Type : Comment
and where is the session_start(); we told you to put in ?
By: xedstr Date: 31/05/2003 17:59:00 English  Type : Comment
Session_start(); => I did put it above the page like this :

<?php
session_start();
header("Cache-control: private"); // IE 6 Fix.

$auth = false; // Assume the user is not authenticated
$id="0";

And the other part of the code right after a succesfull login in :
} else {
$_SESSION['user_type']="1";

=> This creates a '!' char in the left corner of my screen and I can't log in with the login screen...

Any suggestions?
EDS
By: VGR Date: 31/05/2003 18:06:00 English  Type : Answer
ok, you're trying to use the HTTP Basic Authentication. You shouldn't. Not this way at least.

Either stick with the schema provided in the Apache documentation (or PHP documentation: http://www.php.net/manual/en/features.http-auth.php - read especially the users' comments)

or don't use HTTP Authentication but just this kind of stuff :

<?php
// login/password identification
session_start();
$SCRIPT_NAME = $_SERVER['SCRIPT_NAME']; // useless if register_globals=On in php.ini

if (!isset($_POST['auth'])) {
echo "Enter pseudo and password\n";
echo <<<EOS
<FORM METHOD="POST" ACTION="$SCRIPT_NAME">
pseudonym <INPUT border=0 TYPE=text NAME=locPseu VALUE="" SIZE=20 MAXLENGTH=48>&nbsp;&nbsp;
password <INPUT border=0 TYPE=password NAME=locPW VALUE="" SIZE=8 MAXLENGTH=8>&nbsp;&nbsp;
<INPUT border=0 TYPE=submit NAME="auth" VALUE="Send">
</FORM>
EOS;
exit;
} // else pass below

//$auth is set
$locPseu = isset($_POST['locPseu']) ? $_POST['locPseu'] : ''; // f@#ing register_globals=Off !
$locPW = isset($_POST['locPW']) ? $_POST['locPW'] : ''; // f@#ing register_globals=Off !

// the user asked to be $locPseu
$_SESSION['sess_admin'] = "0"; // plus other default values for session data like $_SESSION['sess_pseudo']='visiteur';
// check or stay
// $dbHost, $dbLogin, $dbPassword, $dbName and $dbTableUsers are assumed to come from a config include
$linkID = mysql_pconnect($dbHost, $dbLogin, $dbPassword) or die ("bad connect " . mysql_error());
mysql_select_db($dbName, $linkID) or die ("bad select DB " . mysql_error());
// escape the form values before they go into a query (needs the open link)
$locPseu = mysql_real_escape_string($locPseu, $linkID);
$locPW = mysql_real_escape_string($locPW, $linkID);
$query = "select * from $dbTableUsers where pseudo='$locPseu'";
$result = mysql_query($query, $linkID) or die ("bad query index user 1 " . mysql_error());
if ($res = mysql_fetch_array($result)) {
// check password for that user
$locPseu = mysql_real_escape_string($res["pseudo"], $linkID); // fix pseudo case, etc
$query = "select * from $dbTableUsers where pseudo='$locPseu' AND password='$locPW'";
$result = mysql_query($query, $linkID) or die ("bad query index user 2 " . mysql_error());
if ($res = mysql_fetch_array($result)) {
// positive identification
$_SESSION['sess_admin'] = $res["boolAdmin"];
// + other data
} else { // invalid password
// if not, reject
echo "Bad password...\n";
exit; // stops script
} // if user/pw exists
} // if user exists
// else user did not exist, I allow access as reader (user)

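The login script above, rewritten as an added example for current PHP (not code from the thread or from any of its posters). It keeps VGR's flow (form, then check, then session values) but fixes what the thread's snippets share: it uses prepared statements instead of pasting $_POST into SQL, password_hash()/password_verify() instead of plaintext or MySQL PASSWORD() as discussed in sumotimor's and Cyclops3590's posts, a fresh session ID after login, and exit after the redirect. The `users` table (columns id, pseudo, password_hash, level), the DSN and credentials are assumptions, not from the page.

```php
<?php
// Added example, not the thread's code. Assumed table: users(id, pseudo, password_hash, level);
// DSN and credentials below are placeholders. Requires PHP 7.4 or later.
declare(strict_types=1);

// Cookie flags first, then the session: HttpOnly keeps scripts away from the ID,
// Secure keeps it off plain HTTP, SameSite limits cross-site requests carrying it.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_pass', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
        ]);
    }
    return $pdo;
}

// Registration side: store a salted hash, never the password itself.
function create_user(string $pseudo, string $password, int $level = 0): void
{
    $stmt = db()->prepare('INSERT INTO users (pseudo, password_hash, level) VALUES (?, ?, ?)');
    $stmt->execute([$pseudo, password_hash($password, PASSWORD_DEFAULT), $level]);
}

// Returns the user row on success, null on failure. The caller only learns
// "bad pseudo or password", never which of the two was wrong.
function authenticate(string $pseudo, string $password): ?array
{
    $stmt = db()->prepare('SELECT id, pseudo, password_hash, level FROM users WHERE pseudo = ?');
    $stmt->execute([$pseudo]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throw-away hash when the pseudo is unknown, so the
    // unknown-user and wrong-password paths take about the same time.
    $hash = $row !== false ? $row['password_hash'] : password_hash('not-the-password', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {   // upgrade cost/algorithm at login time
        $upd = db()->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return $row;
}

function login(string $pseudo, string $password): bool
{
    $user = authenticate($pseudo, $password);
    if ($user === null) {
        return false;
    }
    session_regenerate_id(true);   // drop any session ID the client brought along (fixation)
    $_SESSION['user_id']     = (int) $user['id'];
    $_SESSION['sess_pseudo'] = $user['pseudo'];
    $_SESSION['userlevel']   = (int) $user['level'];   // 0 user ... 4 super-admin, VGR's scheme
    $_SESSION['login_time']  = time();
    return true;
}

$_SESSION['csrf'] = $_SESSION['csrf'] ?? bin2hex(random_bytes(16));

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!hash_equals($_SESSION['csrf'], (string) ($_POST['csrf'] ?? ''))) {
        http_response_code(400);
        exit('Bad request');
    }
    if (login((string) ($_POST['locPseu'] ?? ''), (string) ($_POST['locPW'] ?? ''))) {
        header('Location: welcome.php');
        exit;   // without exit the rest of this script still runs after the redirect header
    }
    http_response_code(401);
    exit('Bad pseudo or password');
}

$csrf = htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8');
$self = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
echo <<<EOS
<form method="post" action="$self">
<input type="hidden" name="csrf" value="$csrf">
pseudonym <input type="text" name="locPseu" maxlength="48">
password <input type="password" name="locPW" maxlength="128">
<input type="submit" value="Send">
</form>
EOS;
```

One deliberate difference from VGR's script: an unknown pseudo is refused rather than let in as a reader, and the password field is not capped at 8 characters. The dummy hash on the unknown-user path costs one bcrypt computation, which is the point: a response that comes back instantly for unknown names would tell an attacker which pseudos exist.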
By: xedstr Date: 31/05/2003 18:33:00 English  Type : Comment
Okay, this part is working.

But how do I control each other page that the registered user or admin may enter?

EDS
By: VGR Date: 01/06/2003 19:51:00 English  Type : Comment
very easily.

On each page accessible only to admins (for example, 'cause you may refine this to a lot of levels of access rights, for example with a session variable "userlevel" from 0 (user), 1 (confidence people), 2 (sysops), 3 (admins), 4 (super-admin) etc etc )

<?php
session_start(); // every page needs this or it won't work
if (empty($_SESSION['sess_admin'])) { // not an admin, or not logged in at all
header('Location: index.php'); // redirect to index page
exit; // stop here, otherwise the rest of the page is still sent after the redirect header
}
// else continue with the page's code...
?>

or

<?php
session_start(); // every page needs this or it won't work

$thispagelevel = 3;

if (!isset($_SESSION['userlevel']) || $_SESSION['userlevel'] < $thispagelevel) {
header('Location: index.php?reason=notallowed'); // redirect to index page, where you can print 'not allowed' depending on $_GET['reason']
exit;
}

// else continue with the page's code...
?>
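The per-page gate above, as an added example (not the thread's code) written as one `auth.php` that every protected page requires before producing any output. It covers both approaches in the thread, mattjp88's check_admin() and VGR's userlevel comparison, with the level stored at login rather than a name list in the code. It assumes the session keys a login script sets: user_id, userlevel (0 user to 4 super-admin) and login_time; the constant and function names are mine.

```php
<?php
// Added example, not the thread's code. auth.php: include it at the top of any
// page that needs a minimum access level. Assumes the session keys user_id,
// userlevel and login_time were set by the login script.
declare(strict_types=1);

const LEVEL_USER       = 0;
const LEVEL_TRUSTED    = 1;   // "confidence people" in VGR's scheme
const LEVEL_SYSOP      = 2;
const LEVEL_ADMIN      = 3;
const LEVEL_SUPERADMIN = 4;
const LEVEL_ANONYMOUS  = -1;          // not logged in at all
const SESSION_MAX_AGE  = 8 * 3600;    // seconds after which a login must be repeated

function start_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

// Level of the current visitor: anonymous when there is no login in the session
// or the login is too old to trust.
function current_level(): int
{
    start_session();
    if (!isset($_SESSION['user_id'])) {
        return LEVEL_ANONYMOUS;
    }
    if (time() - (int) ($_SESSION['login_time'] ?? 0) > SESSION_MAX_AGE) {
        logout();                     // stale login: forget it and treat as anonymous
        return LEVEL_ANONYMOUS;
    }
    return (int) ($_SESSION['userlevel'] ?? LEVEL_USER);
}

// Redirect away unless the visitor is at least $min. Must run before any output.
function require_level(int $min, string $redirect = 'index.php'): void
{
    if (current_level() < $min) {
        header('Location: ' . $redirect . '?reason=notallowed');
        exit;   // a client that ignores the Location header would otherwise receive the page body
    }
}

// Forget the session server-side and expire the cookie in the browser.
function logout(): void
{
    start_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage at the top of admin.php (or any page with a minimum level):
//   require __DIR__ . '/auth.php';
//   require_level(LEVEL_ADMIN);
//   ... page body ...
```

The comparison is on the level number, so a page for sysops (`require_level(LEVEL_SYSOP)`) also admits admins and the super-admin, which is what VGR's `$_SESSION['userlevel'] < $thispagelevel` check expresses. The anonymous level sits below every real one so a page that is fine for plain users still rejects visitors who never logged in.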
